this post was submitted on 07 Apr 2025
48 points (96.2% liked)


Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

Thanks!

[–] non_burglar@lemmy.world 1 points 1 year ago (1 children)

For simple cases you might be able to use 802.1X authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network though.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 1 year ago (1 children)

Hmm, I haven't heard of that before. Could you explain?

[–] non_burglar@lemmy.world 1 points 1 year ago (1 children)

https://en.m.wikipedia.org/wiki/IEEE_802.1X

802.1X is a set of protocols that allow port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.

Your use case is exactly why vlans were invented.

However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.

There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.
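
The two set-ups discussed in this thread, the original poster's dumb switch with two subnets and an ACL on the Linux router, versus VLANs that are only joined at the router, differ in one security-relevant way: a forward-chain ACL on the router can only filter traffic that actually passes through the router. The following is an added example, not code from any poster in this thread; it models that distinction and emits a matching nftables forward policy for the VLAN case. All hostnames, VLAN IDs, sub-interface names and addresses are constructed for the demonstration.

```python
"""Decide whether a Linux router's ACL can actually isolate two hosts.

Added example for this thread, not code from any poster. It models the two
set-ups discussed above: two PCs on a dumb (VLAN-unaware) switch given
addresses from different subnets, versus the same PCs on 802.1Q VLANs that are
only joined at the Linux router. Hostnames, VLAN IDs and addresses are
constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    address: str                 # CIDR, e.g. "10.0.1.10/24" (constructed)
    vlan: Optional[int] = None   # 802.1Q VLAN of the switch port; None = dumb switch


def broadcast_domain(h: Host) -> Tuple:
    """The L2 flood domain a host's frames land in.

    A dumb switch has exactly one domain regardless of IP addressing; a
    VLAN-capable switch gives each VLAN its own domain.
    """
    return ("flat",) if h.vlan is None else ("vlan", h.vlan)


def same_ip_subnet(a: Host, b: Host) -> bool:
    return ip_interface(a.address).network == ip_interface(b.address).network


def router_in_path(a: Host, b: Host) -> bool:
    """True iff every frame between a and b must be forwarded by the router.

    That is only the case when they sit in different broadcast domains. Being
    in different IP subnets does not matter: two hosts in one broadcast domain
    can frame each other directly, so the router (and any ACL on it) never
    sees that traffic.
    """
    return broadcast_domain(a) != broadcast_domain(b)


def acl_can_isolate(a: Host, b: Host) -> bool:
    """Whether a forward-chain rule on the router is sufficient to keep a and b apart."""
    return router_in_path(a, b)


def explain(a: Host, b: Host) -> str:
    """Human-readable verdict for one pair of hosts."""
    if acl_can_isolate(a, b):
        return (f"{a.name} <-> {b.name}: separate L2 domains {broadcast_domain(a)} / "
                f"{broadcast_domain(b)}; all traffic transits the router, so a "
                f"forward rule between the two sub-interfaces is enforceable")
    subnet_note = ("same subnet" if same_ip_subnet(a, b)
                   else "different subnets, which does not help")
    return (f"{a.name} <-> {b.name}: shared L2 domain {broadcast_domain(a)}, "
            f"{subnet_note}; frames can bypass the router, its ACL cannot isolate them")


def nft_forward_ruleset(if_a: str, if_b: str) -> str:
    """nftables forward policy for the VLAN set-up.

    Routed traffic between the two VLAN sub-interfaces is dropped; traffic to
    any other interface (e.g. the uplink) is still forwarded. Interface names
    are whatever the router's VLAN sub-interfaces are called (constructed here).
    """
    return "\n".join([
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority filter; policy accept;",
        f'    iifname "{if_a}" oifname "{if_b}" drop',
        f'    iifname "{if_b}" oifname "{if_a}" drop',
        "  }",
        "}",
    ])


# Set-up 1 from the question: dumb switch, different subnets, ACL on the router.
DUMB_A = Host("pc-a", "10.0.1.10/24")
DUMB_B = Host("pc-b", "10.0.2.10/24")

# Set-up 2 from the replies: the same PCs on VLAN 10 and VLAN 20, routed via
# eth1.10 / eth1.20 sub-interfaces on the Linux box (names constructed).
VLAN_A = Host("pc-a", "10.0.1.10/24", vlan=10)
VLAN_B = Host("pc-b", "10.0.2.10/24", vlan=20)

if __name__ == "__main__":
    for pair in ((DUMB_A, DUMB_B), (VLAN_A, VLAN_B)):
        print(explain(*pair))
    print(nft_forward_ruleset("eth1.10", "eth1.20"))
```

The model deliberately ignores IP addressing when deciding reachability: the check that matters for isolation is whether the two hosts share a broadcast domain, which a dumb switch always gives them. Once each PC is on its own VLAN, the only path between them is the router, and the emitted ruleset is the kind of forward policy that then does the job.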

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 1 year ago (1 children)

Ah, is that something like sticky ports?

Indeed, I would like to run a switch with a FOSS OS, and I don't see any viable way of doing that. Unfortunate, but whitebox router + switch it is then.

[–] non_burglar@lemmy.world 1 points 1 year ago (1 children)

The effect is similar to sticky ports, but sticky ports is just filtering based on MAC address, which can be spoofed.

802.1X allows traffic from a device only if it also has the correct EAP certificate.

I see. I didn't know about this. I have saved your comment, I'll come back to this in a bit